This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP port range filter

1

Hello,

How might I write a display filter for a tcp port range?

I'm wanting to filter two sets of ranges. TCP/8600-8619 and TCP/8400-8402

thanks,

J

asked 10 Jul '13, 06:43

JTech_17's gravatar image

JTech_17
417712
accept rate: 0%

2 Answers:

0

Please try this:

(tcp.dstport >= 8600 and tcp.dstport <= 8619) or (tcp.dstport >= 8400 and tcp.dstport <= 8402)

HINT: That will only show traffic in one direction, which is from client --> server. However, that should be enough the figure out the tcp stream number, and then filter on that in a second step, possibly with tshark.

tshark -nr input.pcap -R "(tcp.dstport >= 8400 and tcp.dstport <= 8402) or (tcp.dstport >= 8400 and tcp.dstport <= 8402)" -T fields -e tcp.stream | sort

Then use that output and filter on tcp.stream

Regards
Kurt

answered 10 Jul '13, 07:01

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 10 Jul '13, 07:20

Thanks for the extra Tshark component, very nice.

J

(10 Jul '13, 07:57) JTech_17

0

With newer versions of libpcap (0.9.1 and later):

(tcp portrange 8600-8619) or (tcp portrange 8400-8402)

You can break it down further if you care about source or destination ports. As an example:

(tcp dst portrange 8600-8619) or (tcp src portrange 8400-8402)

More information can be found on the manpages

answered 25 Nov '15, 11:49

SwDevMan81's gravatar image

SwDevMan81
363612
accept rate: 50%

edited 25 Nov '15, 11:54

That's a capture filter, not a display filter; it's useful, but it doesn't solve this particular problem.

(26 Nov '15, 13:44) Guy Harris ♦♦